UNOFFICIAL COPY 24 RS BR 321
Page 1 of 6
XXXX 10/4/2023 2:27 PM Jacketed
AN ACT relating to violations of privacy. 1
Be it enacted by the General Assembly of the Commonwealth of Kentucky: 2
SECTION 1. A NEW SECTION OF KRS CHAPTER 454 IS CREATED TO 3
READ AS FOLLOWS: 4
(1) As used in this section, unless context requires otherwise: 5
(a) 1. "Biometric identifier" means a retina or iris scan, fingerprint, 6
voiceprint, or scan of hand or face geometry. 7
2. Biometric identifiers do not include: 8
a. Writing samples, written signatures, photographs, human 9
biological samples used for valid scientific testing or screening, 10
demographic data, tattoo descriptions, or physical descriptions 11
such as height, weight, hair color, or eye color; 12
b. Donated organs, tissues, or blood or serum stored on behalf of 13
recipients or potential recipients of living or cadaveric 14
transplants and obtained or stored by a federally designated 15
organ procurement agency; 16
c. Information captured from a patient in a health care setting or 17
information collected, used, or stored for health care treatment, 18
payment, or operations under the federal Health Insurance 19
Portability and Accountability Act of 1996; or 20
d. Any X-ray, roentgen process, computed tomography, MRI, PET 21
scan, mammography, or other image or film of the human 22
anatomy used to diagnose or treat an illness or other medical 23
condition or to further validate scientific testing or screening; 24
(b) "Biometric information" means any information, regardless of how it is 25
captured, converted, stored, or shared, based on an individual's biometric 26
identifier used to identify an individual. Biometric information does not 27 UNOFFICIAL COPY 24 RS BR 321
Page 2 of 6
XXXX 10/4/2023 2:27 PM Jacketed
include information derived from items or procedures excluded under the 1
definition of biometric identifiers; and 2
(c) "Facial recognition technology" means computerized technology that helps 3
in discerning and identifying human faces using biometrics to map facial 4
features from a photo or video and comparing this information with a large 5
database of recorded faces. 6
(2) It is unlawful, absent a court-approved warrant, for any state or local government 7
agency, or an official thereof, to obtain, retain, request, access, or use: 8
(a) Facial recognition technology; or 9
(b) Information obtained from or by use of facial recognition technology. 10
(3) Once a person is accepted by law enforcement as being a missing person or child, 11
facial recognition technology may be used if there is video or a real time feed 12
available, provided a proven family member or court-approved guardian gives 13
written consent for the use of facial recognition technology. 14
(4) Photographs taken by the Transportation Cabinet, or by any other agency, in 15
order to issue operators' licenses or personal identification cards shall not be sold 16
to any entity and shall not be provided to any state or local government agency 17
for the purpose of using facial recognition technology without a warrant. 18
(5) A private entity in possession of biometric identifiers or biometric information 19
shall develop a written policy, made available to the public, establishing a 20
retention schedule and guidelines for permanently destroying biometric 21
identifiers and biometric information when the initial purpose for collecting or 22
obtaining such identifiers or information has been satisfied or within three (3) 23
years of the individual's last interaction with the private entity, whichever occurs 24
first. Absent a valid warrant or subpoena issued by a court of competent 25
jurisdiction, a private entity in possession of biometric identifiers or biometric 26
information shall comply with its established retention schedule and destruction 27 UNOFFICIAL COPY 24 RS BR 321
Page 3 of 6
XXXX 10/4/2023 2:27 PM Jacketed
guidelines. 1
(6) No private entity may collect, capture, purchase, receive through trade, or 2
otherwise obtain a person's or a customer's biometric identifier or biometric 3
information, unless it first: 4
(a) Informs the subject or the subject's legally authorized representative in 5
writing that a biometric identifier or biometric information is being 6
collected or stored; 7
(b) Informs the subject or the subject's legally authorized representative in 8
writing of the specific purpose and length of term for which a biometric 9
identifier or biometric information is being collected, stored, and used; and 10
(c) Receives a written release executed by the subject of the biometric identifier 11
or biometric information or the subject's legally authorized representative. 12
(7) No private entity in possession of a biometric identifier or biometric information 13
may sell, lease, trade, or otherwise profit from a person's or a customer's 14
biometric identifier or biometric information. 15
(8) No private entity in possession of a biometric identifier or biometric information 16
may disclose, redisclose, or otherwise disseminate a person's or a customer's 17
biometric identifier or biometric information unless: 18
(a) The subject of the biometric identifier or biometric information or the 19
subject's legally authorized representative consents to the disclosure or 20
redisclosure; 21
(b) The disclosure or redisclosure completes a financial transaction requested 22
or authorized by the subject of the biometric identifier or the biometric 23
information or the subject's legally authorized representative; 24
(c) The disclosure or redisclosure is required by law; or 25
(d) The disclosure is required pursuant to a valid warrant or subpoena issued 26
by a court of competent jurisdiction. 27 UNOFFICIAL COPY 24 RS BR 321
Page 4 of 6
XXXX 10/4/2023 2:27 PM Jacketed
(9) A private entity in possession of a biometric identifier or biometric information 1
shall store, transmit, and protect from disclosure all biometric identifiers and 2
biometric information: 3
(a) Using the reasonable standard of care within the private entity's industry; 4
and 5
(b) In a manner that is the same as or more protective than the manner in 6
which the private entity stores, transmits, and protects other sensitive 7
information. 8
SECTION 2. A NEW SECTION OF KRS CHAPTER 411 IS CREATED TO 9
READ AS FOLLOWS: 10
(1) Any violation of Section 1 of this Act constitutes an injury, and any person may 11
institute proceedings for injunctive relief, declaratory relief, or writ of mandamus 12
in any court of competent jurisdiction to enforce Section 1 of this Act. 13
(2) Any person who has been subjected to facial recognition technology in violation 14
of Section 1 of this Act, or about whom information has been obtained, retained, 15
accessed, or used in violation of Section 1 of this Act, may institute proceedings 16
in any court of competent jurisdiction. 17
(3) A prevailing party may recover for each violation: 18
(a) Against an entity that negligently violates a provision of Section 1 of this 19
Act, liquidated damages of one thousand dollars ($1,000) or actual 20
damages, whichever is greater; 21
(b) Against an entity that intentionally or recklessly violates a provision of 22
Section 1 of this Act, liquidated damages of five thousand dollars ($5,000) 23
or actual damages, whichever is greater; 24
(c) Reasonable attorneys' fees and costs, including expert witness fees and 25
other litigation expenses; and 26
(d) Other relief, including an injunction, as the court may deem appropriate. 27 UNOFFICIAL COPY 24 RS BR 321
Page 5 of 6
XXXX 10/4/2023 2:27 PM Jacketed
(4) The Attorney General may bring an action to enforce Section 1 of this Act. In any 1
action brought by the Attorney General, a violation of Section 1 of this Act is 2
subject to a civil penalty of one thousand dollars ($1,000) for each violation. 3
SECTION 3. A NEW SECTION OF KRS CHAPTER 6 IS CREATED TO 4
READ AS FOLLOWS: 5
No information obtained from or by use of facial recognition technology as defined in 6
Section 1 of this Act may be received in evidence in any legislative committee, task 7
force, or other legislative body. 8
SECTION 4. A NEW SECTION OF KRS CHAPTER 13B IS CREATE D TO 9
READ AS FOLLOWS: 10
No information obtained from or by use of facial recognition technology as defined in 11
Section 1 of this Act may be received in evidence in an administrative hearing. 12
SECTION 5. A NEW SECTION OF KRS CHAPTER 23A IS CREATED TO 13
READ AS FOLLOWS: 14
No information obtained from or by use of facial recognition technology as defined in 15
Section 1 of this Act may be received in evidence in any trial, hearing, or other 16
proceeding. 17
SECTION 6. A NEW SECTION OF KRS CHAPTER 24A IS CREATED TO 18
READ AS FOLLOWS: 19
No information obtained from or by use of facial recognition technology as defined in 20
Section 1 of this Act may be received in evidence in any trial, hearing, or other 21
proceeding. 22
SECTION 7. A NEW SECTION OF KRS CHAPTER 29A IS CREATED TO 23
READ AS FOLLOWS: 24
No information obtained from or by use of facial recognition technology as defined in 25
Section 1 of this Act may be received in evidence before a grand jury. 26
SECTION 8. A NEW SECTION OF THE KENTUCKY RULES OF 27 UNOFFICIAL COPY 24 RS BR 321
Page 6 of 6
XXXX 10/4/2023 2:27 PM Jacketed
EVIDENCE IS CREATED TO READ AS FOLLOWS: 1
Evidence obtained by use of facial recognition technology, as defined in applicable 2
statutes, is not admissible. 3